Cracker Breaks Into T-Mobile’s Network, Steals Customer Data

SecurityFocus News: Hacker penetrates T-Mobile systems

A 21-year-old cracker named Nicolas Jacobsen broke into T-Mobile’s network and obtained confidential customer data.

Jacobsen could access information on any of the Bellevue, Washington-based company’s 16.3 million customers, including many customers’ Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords providing customers with Web access to their T-Mobile e-mail accounts. He did not have access to credit card numbers.

If you’re a T-Mobile customer, I strongly suggest you keep an eye on your credit report and other indicators of identity theft.

Besides just sensitive customer information, the cracker was able to obtain internal Secret Service documents. How? Because a Secret Service agent did this:

[…] agents watched as the hacker surfed to “My T-Mobile,” and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York. Cavicchia was the agent who last year spearheaded the investigation of Jason Smathers, a former AOL employee accused of stealing 92 million customer e-mail addresses from the company to sell to a spammer. The agent was also an adopter of mobile technology, and he did a lot of work through his T-Mobile Sidekick — an all-in-one cellphone, camera, digital organizer and e-mail terminal. The Sidekick uses T-Mobile servers for e-mail and file storage, and the stolen documents had all been lifted from Cavicchia’s T-Mobile account.

You’d think that a trained Secret Service agent, especially one who was involved in taking down someone for selling customer information to a spammer, and who was “an adopter of mobile technology”, would know better than to work with confidential Secret Service documents on something as insecure as his Sidekick. *sigh*

UPDATE: T-Mobile issued a statement that only 400 customers’ data were exposed, and all 400 of them have been notified in writing.

UPDATE 2: Here’s a Wired article about the break-in.